The new Data (Access and Use) Act – test your knowledge!

Are these statements true or false?

1. The new law comes into force in stages.

• • This one’s true.
  • A few parts of the new law are now in force, most usefully the formal confirmation that the searches organisations must make in response to a subject access request just have to be ‘reasonable and proportionate’. This applies retrospectively, from 1 January 2024.
  • But most of it isn’t in force. The Information Commissioner’s new powers to send Data Protection Act notices by email, and to demand documents, come into force on 19 August 2025. Further laws called commencement orders will bring the remaining parts into force in stages. We don’t yet know when that will be.

2. The data protection reforms in this law are identical to those proposed by the previous Government.

• • There are several similarities between this law and the one the Conservative Government proposed, for example the Information Commissioner’s Office will become the Information Commission, aligning it to the form of other UK regulators.
  • But it’s not identical: for example, it doesn’t replace the role of data protection officer with a senior responsible individual officer.
  • So this one’s false.

3. The new law won’t change privacy notices.

• • This one’s also false.
  • There will be a new right for individuals to complain to an organisation about its breach of UK GDPR. Individuals will need to be told about this new right to complain in the organisation’s privacy notice. The organisation will need to facilitate the making of complaints, for example by providing an online complaints form, and to implement the complaints process set out in the new law.
  • There are updated requirements about the secondary use of personal data for research and statistical purposes, which may also need to be reflected in privacy notices.

4. Businesses will now have a completely free rein with website cookies – no more annoying cookie banners!

• • There will be some loosening of the cookie rules but it won’t be a free for all.
  • Any use of cookies for marketing purposes (including analytic cookies used for marketing purposes) will still need to be opt-in.
  • If you’re just using analytic cookies to improve the website (and no other purpose), you will be able to make that opt out, as long as you satisfy certain requirements.
  • On the other hand, the maximum fines for breach of the cookie rules and e-marketing rules will be increased to UK GDPR level fines (the higher of £17.5m or 4% of turnover). The old £500,000 maximum will be scrapped.
  • The new law has some future-proofing baked in, so it’s doesn’t just catch cookies (or just catch websites), and there’s a mechanism for the law to be changed in future.
  • Helpfully, it also lists some types of cookie use that are ‘strictly necessary’, so won’t need opt-in or opt-out consent. That includes automatically authenticating the website visitor’s identity and keeping a record of their preferences.
  • So this one is false too (you guessed that didn’t you!).

5. There’s nothing in the new law about copyright and AI.

• • Not entirely true. The House of Lords wanted a law passed to require operators of web crawlers and general-purpose AI models to comply with UK copyright law throughout the entire lifecycle of the AI model. The Lords also wanted a law passed to provide transparency about crawler identity and purpose, as well as about copyright works scraped.
  • That’s been put on the back burner. But the Government will publish an economic impact assessment and a report on the use of copyright works in developing AI systems in the coming months, with a progress report in 6 months’ time.
  • This seems sensible as there are currently AI copyright decisions going through the courts both here and the US. They may help determine what happens next.
  • There is some loosening on significant decisions made using AI, which, as long as no sensitive data is involved, won’t need to fit into one of the current three narrow categories of being: based on the individual’s explicit consent, needed for a contract with the individual or required or authorised by a law which protects the individual.

6. The new law covers areas outside of data protection and privacy.

• • This one’s true.
  • As well as making changes to the UK GDPR and Data Protection Act, the new law also covers smart data (expanding the existing UK GDPR right to data portability), plans for a national map of underground pipes and cables, and digital verification services, among other things.

7. International data transfers will have a new test.

• • That’s true, there will be a new ‘data protection test’, which was originally in the Conservative Government’s draft law.
  • The Secretary of State will use this test when making ‘adequacy decisions’: special laws that say another’s country’s laws provide adequate protection, allowing personal data to flow freely from the UK to that country. The data protection test is whether the standard of protection in the other country for individuals when processing their personal data is ‘not materially lower’ than the standard under the UK GDPR.
  • This sounds like a big departure from the European approach, as the European test is one of ‘essential equivalence’, with the surveillance practices of the other country’s Government taking centre stage in determining the fate of previous adequacy decisions that were tested in the European court. However key components from the old test, including the rule of law, human rights, a supervisory authority, onward transfers and judicial redress, are all parts of the new data protection test.
  • Adequacy decisions have a new name too: ‘regulations under Article 45A’.
  • More generally, the data transfer chapter in the UK GDPR has been given a spring clean. There is more clarity and precision, but there are also more tools in the Government’s toolbox to help navigate this data protection minefield.

8. The UK’s adequacy decision from Europe is completely safe, right?

• • This is the EU law that allows the free flow of personal data from Europe to the UK.
  • It’s too early to say. The European Commission will let us know by 27 December 2025.
  • The Government is likely to have kept the European Commission fully informed of its proposed changes to data protection law, and dropping some of the more controversial proposals like the replacement of data protection officers should be a big plus.
  • But digital rights activists have criticised the new law’s changes to AI decisions and international data transfers, for example, as well as changes that give the UK Government more powers. They don’t think the Information Commission will be sufficiently independent of Government.
  • However, the threats to the UK’s free flow of data from Europe may also come from other sources. Digital rights activists cite the UK’s surveillance law notice to Apple to facilitate access to encrypted iCloud data, the UK Government’s proposed sharing of border control data with the intelligence services and its proposed powers to compel banks to provide information on individuals’ bank accounts and to allow the algorithmic scanning of bank accounts to identify suspects, as areas of concern.
  • Ultimately though, the hope is that the new law is seen as an evolution rather than revolution in the UK’s data protection and privacy landscape, and a welcome one at that. As the European Commission is looking to simplify the EU GDPR, maybe the UK will act as Europe’s sandbox, to see how the changes work out in practice before introducing any reforms themselves.

That’s the end of the quiz. Well done!

To discuss anything in this article, please contact Judy Baker.